[debian-mysql] Bug#510875: mysql-server-5.0: does not ask for a password for `root' by default
Ansgar Burchardt
ansgar at 2008.43-1.org
Mon Jan 5 15:12:43 UTC 2009
Package: mysql-server-5.0
Version: 5.0.32-7etch8
Severity: grave
Tags: security
Justification: user security hole

Hi,

The question asking for the administrative password has a priority of
`medium'. Debconf's default is to ask only questions of at least
priority `high' since 1.4.61 (and d-i apparently has set this value by
default for even longer).

This results in an empty root password by default. Every user who
can connect from `localhost' then has full administrative privileges.
The only thing he has to do is run `mysql -u root'.

The question for the password should at least have priority `high' (or
even `critical'[1]).

Regards,
Ansgar

[1] Debconf's own configuration suggests this priority to newbies.
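
The priority rule described in the report can be checked statically in a package's debconf config script. The following is an added example, not part of the original report or of the Debian package; the template names and the sample script are constructed for illustration.

```python
import re

# debconf priorities, lowest to highest
PRIORITIES = ["low", "medium", "high", "critical"]

# Matches `db_input <priority> <question>` in a maintainer config script
DB_INPUT = re.compile(r"^\s*db_input\s+(\w+)\s+(\S+)", re.MULTILINE)


def is_asked(question_priority, threshold="high"):
    """A question is shown only if its priority is at least the threshold."""
    return PRIORITIES.index(question_priority) >= PRIORITIES.index(threshold)


def skipped_password_questions(config_script, threshold="high"):
    """Return (question, priority) pairs for password prompts that debconf
    would silently skip at the given priority threshold."""
    skipped = []
    for priority, question in DB_INPUT.findall(config_script):
        if priority not in PRIORITIES:
            continue  # not a literal priority keyword; cannot judge statically
        if "password" in question.lower() and not is_asked(priority, threshold):
            skipped.append((question, priority))
    return skipped


# Constructed sample config script (hypothetical package and template names)
SAMPLE_CONFIG = """\
#!/bin/sh
. /usr/share/debconf/confmodule
db_input medium example-server/root_password || true
db_input high example-server/start_on_boot || true
db_input critical example-server/admin_password || true
db_go
"""

if __name__ == "__main__":
    for question, priority in skipped_password_questions(SAMPLE_CONFIG):
        print(f"{question}: priority '{priority}' is not shown at threshold 'high'")
```
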